udp,pasta: Periodically scan for ports to automatically forward
pasta supports automatic port forwarding, where we look for listening sockets in /proc/net (in both namespace and outside) and establish port forwarding to match. For TCP we do this scan both at initial startup, then periodically thereafter. For UDP however, we currently only scan at start. So unlike TCP we won't update forwarding to handle services that start after pasta has begun. There's no particular reason for that, other than that we didn't implement it. So, remove that difference, by scanning for new UDP forwards periodically too. The logic is basically identical to that for TCP, but it needs some changes to handle the mildly different data structures in the UDP case. Link: https://bugs.passt.top/show_bug.cgi?id=45 Link: https://github.com/rootless-containers/rootlesskit/issues/383 Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
parent
4ccdeecb74
commit
457ff122e3
2 changed files with 75 additions and 2 deletions
3
passt.1
3
passt.1
|
@ -496,8 +496,7 @@ Default is \fBauto\fR.
|
||||||
.BR \-u ", " \-\-udp-ports " " \fIspec
|
.BR \-u ", " \-\-udp-ports " " \fIspec
|
||||||
Configure UDP port forwarding to namespace. \fIspec\fR is as described for TCP
|
Configure UDP port forwarding to namespace. \fIspec\fR is as described for TCP
|
||||||
above, and the list of ports is derived from listening sockets reported by
|
above, and the list of ports is derived from listening sockets reported by
|
||||||
\fI/proc/net/udp\fR and \fI/proc/net/udp6\fR, see \fBproc\fR(5),
|
\fI/proc/net/udp\fR and \fI/proc/net/udp6\fR, see \fBproc\fR(5).
|
||||||
when \fBpasta\fR starts (not periodically).
|
|
||||||
|
|
||||||
Note: unless overridden, UDP ports with numbers corresponding to forwarded TCP
|
Note: unless overridden, UDP ports with numbers corresponding to forwarded TCP
|
||||||
port numbers are forwarded too, without, however, any port translation.
|
port numbers are forwarded too, without, however, any port translation.
|
||||||
|
|
74
udp.c
74
udp.c
|
@ -1186,6 +1186,66 @@ static void udp_timer_one(struct ctx *c, int v6, enum udp_act_type type,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* udp_port_rebind() - Rebind ports to match forward maps
|
||||||
|
* @c: Execution context
|
||||||
|
* @outbound: True to remap outbound forwards, otherwise inbound
|
||||||
|
*
|
||||||
|
* Must be called in namespace context if @outbound is true.
|
||||||
|
*/
|
||||||
|
static void udp_port_rebind(struct ctx *c, bool outbound)
|
||||||
|
{
|
||||||
|
const uint8_t *fmap
|
||||||
|
= outbound ? c->udp.fwd_out.f.map : c->udp.fwd_in.f.map;
|
||||||
|
const uint8_t *rmap
|
||||||
|
= outbound ? c->udp.fwd_in.f.map : c->udp.fwd_out.f.map;
|
||||||
|
struct udp_splice_port (*socks)[NUM_PORTS]
|
||||||
|
= outbound ? udp_splice_ns : udp_splice_init;
|
||||||
|
unsigned port;
|
||||||
|
|
||||||
|
for (port = 0; port < NUM_PORTS; port++) {
|
||||||
|
if (!bitmap_isset(fmap, port)) {
|
||||||
|
if (socks[V4][port].sock >= 0) {
|
||||||
|
close(socks[V4][port].sock);
|
||||||
|
socks[V4][port].sock = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (socks[V6][port].sock >= 0) {
|
||||||
|
close(socks[V6][port].sock);
|
||||||
|
socks[V6][port].sock = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Don't loop back our own ports */
|
||||||
|
if (bitmap_isset(rmap, port))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if ((c->ifi4 && socks[V4][port].sock == -1) ||
|
||||||
|
(c->ifi6 && socks[V6][port].sock == -1))
|
||||||
|
udp_sock_init(c, outbound, AF_UNSPEC, NULL, NULL, port);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* udp_port_rebind_outbound() - Rebind ports in namespace
|
||||||
|
* @arg: Execution context
|
||||||
|
*
|
||||||
|
* Called with NS_CALL()
|
||||||
|
*
|
||||||
|
* Return: 0
|
||||||
|
*/
|
||||||
|
static int udp_port_rebind_outbound(void *arg)
|
||||||
|
{
|
||||||
|
struct ctx *c = (struct ctx *)arg;
|
||||||
|
|
||||||
|
ns_enter(c);
|
||||||
|
udp_port_rebind(c, true);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* udp_timer() - Scan activity bitmaps for ports with associated timed events
|
* udp_timer() - Scan activity bitmaps for ports with associated timed events
|
||||||
* @c: Execution context
|
* @c: Execution context
|
||||||
|
@ -1197,6 +1257,20 @@ void udp_timer(struct ctx *c, const struct timespec *ts)
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
long *word, tmp;
|
long *word, tmp;
|
||||||
|
|
||||||
|
if (c->mode == MODE_PASTA) {
|
||||||
|
if (c->udp.fwd_out.f.mode == FWD_AUTO) {
|
||||||
|
port_fwd_scan_udp(&c->udp.fwd_out.f, &c->udp.fwd_in.f,
|
||||||
|
&c->tcp.fwd_out);
|
||||||
|
NS_CALL(udp_port_rebind_outbound, c);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (c->udp.fwd_in.f.mode == FWD_AUTO) {
|
||||||
|
port_fwd_scan_udp(&c->udp.fwd_in.f, &c->udp.fwd_out.f,
|
||||||
|
&c->tcp.fwd_in);
|
||||||
|
udp_port_rebind(c, false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!c->ifi4)
|
if (!c->ifi4)
|
||||||
v6 = 1;
|
v6 = 1;
|
||||||
v6:
|
v6:
|
||||||
|
|
Loading…
Reference in a new issue